nf_conntrack: table full, dropping packet
I actually saw this error in a Docker host. Docker uses iptables and adds its own rules in chains it creates, such as the DOCKER chain. In this case though, it wasn't the Docker iptables rules that were the problem: the netfilter connection-tracking table, which the NAT for container traffic also relies on, had simply hit its size limit. You might see this error in /var/log/messages or /var/log/kern –
The full error message looked like this –
May 29 09:10:37 docker kernel: [74350.150400] nf_conntrack: table full, dropping packet
May 29 09:10:37 docker kernel: [74350.155361] nf_conntrack: table full, dropping packet
May 29 09:10:37 docker kernel: [74350.160282] nf_conntrack: table full, dropping packet
May 29 09:10:37 docker kernel: [74350.181547] nf_conntrack: table full, dropping packet
May 29 09:10:37 docker kernel: [74350.184807] nf_conntrack: table full, dropping packet
May 29 09:10:37 docker kernel: [74350.184913] nf_conntrack: table full, dropping packet
Resolution – increase the maximum number of connections being tracked and/or reduce the tracking timeouts so that idle entries expire sooner. Two caveats: raising the maximum costs kernel memory (on the order of a few hundred bytes per entry) and the hash table (nf_conntrack_buckets, set at module load through the hashsize parameter) should grow with it, or lookups slow down as the chains lengthen; and increasing a timeout keeps entries in the table longer, so of the two changes applied below it is the larger maximum that actually adds headroom. The current usage is visible in net.netfilter.nf_conntrack_count. Look for these run-time kernel parameters (the net.ipv4.netfilter.ip_conntrack_* names are legacy aliases of the net.netfilter.nf_conntrack_* keys) –
[root@kauai /]# sysctl net.ipv4.netfilter.ip_conntrack_tcp_timeout_established
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 27000
[root@kauai /]# sysctl net.netfilter.nf_conntrack_generic_timeout
net.netfilter.nf_conntrack_generic_timeout = 60
[root@kauai /]# sysctl net.ipv4.netfilter.ip_conntrack_max
net.ipv4.netfilter.ip_conntrack_max = 64268
These are the settings which resolved my issue; I simply doubled the values –
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
sysctl -w net.netfilter.nf_conntrack_generic_timeout=120
sysctl -w net.ipv4.netfilter.ip_conntrack_max=128536
To make this permanent, put the settings in key = value form (without the sysctl -w) in /etc/sysctl.conf, or in a file under /etc/sysctl.d/, and apply them with sysctl -p. The conntrack keys only exist once the nf_conntrack module is loaded, so on a host where it loads lazily (for example when the first NAT rule is inserted) sysctl -p at boot can fail with "cannot stat" for those keys; loading the module at boot through /etc/modules-load.d/ avoids this.
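As an added example (not code from the original post), here is a small POSIX sh script that checks how full the table is before the kernel starts dropping packets, doubles the maximum the way the post did but caps it against a memory budget, and renders the key = value lines for a sysctl.d drop-in using the current net.netfilter.* names. The 300 bytes per entry figure, the 80% threshold, the 256 MiB budget and the drop-in filename are assumptions; when the /proc/sys files are not readable (a container, a test box) it falls back to constructed sample values taken from the post's numbers.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a Linux host with the
# nf_conntrack module loaded; when the /proc/sys files are absent it falls back
# to constructed sample values. The per-entry memory figure is an assumption
# used only for the sizing cap, not a kernel constant.

# Percentage of the conntrack table in use for a given count and max.
conntrack_usage_pct() {
    count=$1
    max=$2
    if [ "$max" -le 0 ]; then
        echo 0
        return 0
    fi
    echo $(( count * 100 / max ))
}

# Live reads, with constructed fallbacks so the script runs anywhere.
read_conntrack_count() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        cat /proc/sys/net/netfilter/nf_conntrack_count
    else
        echo 61000   # constructed: a table that is nearly full
    fi
}

read_conntrack_max() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
        cat /proc/sys/net/netfilter/nf_conntrack_max
    else
        echo 64268   # constructed: the maximum shown in the post
    fi
}

# Succeeds (exit 0) while usage is below the threshold percentage
# (default 80); fails once the table is close to "table full".
conntrack_headroom_ok() {
    threshold=${3:-80}
    pct=$(conntrack_usage_pct "$1" "$2")
    [ "$pct" -lt "$threshold" ]
}

# New maximum: double the current value, as the post did, but never more
# than the memory budget allows at the assumed per-entry cost.
suggest_max() {
    cur=$1
    budget_bytes=$2
    per_entry=300                      # assumed bytes per conntrack entry
    want=$(( cur * 2 ))
    cap=$(( budget_bytes / per_entry ))
    if [ "$want" -le "$cap" ]; then
        echo "$want"
    else
        echo "$cap"
    fi
}

# Persistent form for /etc/sysctl.d: key = value lines, using the current
# net.netfilter.* names rather than the legacy net.ipv4.netfilter aliases.
render_sysctl_dropin() {
    printf 'net.netfilter.nf_conntrack_max = %s\n' "$1"
    printf 'net.netfilter.nf_conntrack_tcp_timeout_established = %s\n' "$2"
}

main() {
    count=$(read_conntrack_count)
    max=$(read_conntrack_max)
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count / $max entries in use ($pct%)"
    if conntrack_headroom_ok "$count" "$max" 80; then
        echo "headroom OK"
    else
        new_max=$(suggest_max "$max" $(( 256 * 1024 * 1024 )))
        echo "WARNING: table above 80%; suggested nf_conntrack_max=$new_max"
        echo "drop-in for /etc/sysctl.d/90-conntrack.conf (hypothetical filename):"
        render_sysctl_dropin "$new_max" 27000
    fi
}

main "$@"
```

The drop-in keeps the established timeout at the host's existing 27000 seconds rather than doubling it, since a longer timeout only makes the table fill faster; lower it further if most tracked flows are short-lived.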
References –
https://security.stackexchange.com/questions/43205/nf-conntrack-table-full-dropping-packet